Technical Field
The present disclosure generally relates to security tools, and more particularly to detecting the vulnerability of applications that use software libraries.
Description of the Related Art
Compact, feature-specific software applications, commonly referred to as “apps,” have become ubiquitous on a wide array of computing devices, including smart phones, tablets, televisions, and other devices, collectively referred to herein as user devices (UDs). With the ever-increasing number of applications available on different platforms, these applications can represent a significant security risk when stored on a computing device. Given the open nature of some application platforms, applications may come from a wide variety of sources and may not be rigorously tested for vulnerabilities.
One potential source of vulnerability is through software libraries, open source or otherwise. In addition to the standard libraries supported by any given programming platform, such as Java, there are many other proprietary and open source libraries available to program developers. Use of these libraries is attractive for reducing development time and increasing the availability of features and common interfaces. However, not all libraries are safe. Indeed, since libraries may be widely distributed, they can be an easily accessible source of attack by hackers and/or malware. Nefarious programmers may intentionally distribute libraries that they know how to exploit. In some scenarios, a programmer may carelessly use libraries with known vulnerabilities. When such a library is used in an application program, the library is often statically linked to the application program. Thus, the libraries may be compiled into an executable package that is distributed to user devices, perpetuating the potential vulnerabilities to other UDs. Once these libraries are compiled into the executable software application, the actual code of the library may be obfuscated. In this regard, application developers are typically not required to identify what libraries they have used. Even if a programming language supports distribution in human-readable code, applications are often obfuscated to save space and/or prevent reverse engineering, which makes any integrated libraries difficult to detect. So, an end user downloading and using an application may not be aware that a library with security concerns has been included in an application they are using on their UD. It is with respect to these considerations and others that the present disclosure has been written.